The Identity Management Norm and the Challenge We Face.

brandoncarroll over 8 years ago 3 minute read time

Network Access of Old

I remember back in the days when I worked at the phone company. We had a security desk right inside the door and at the counter was a desktop that had the company directory on it. What didn’t make a lot of sense to me was that the Ethernet port was on the front of the wall, not behind the counter. Anyone could walk into the office and unplug the corporate directory PC and plug their own in. DHCP would give them an address and they were on the LAN. Sad thing is that people did. I would come walking in from lunch and often see some random guy copping a squat on the floor with his laptop connected. Back they we really didn’t have a clear way of preventing access to the network.

What We Used to Do

Prior to 802.1X we did have a few solutions but they had their limitations. One way we could control things was by using a VLAN Membership Policy Server (VMPS). With a VMPS the MAC address would dictate which VLAN you were assigned to. If you were not listed in our database you would not get a VLAN assignment on the LAN. The drawback here was that you had to manage the MAC database. If an employee had a NIC failure and the NIC were replaced, we would have to remember to update the database. This happened a lot back when the laptops had a PCMCIA NIC with the flimsy dongle.

Another way we would control network access was with Port Security. This of course only worked if your switch supported the feature. If it did you had a few ways to handle business. You could enter the MAC that should be connected to each port and then limit the number of MAC addresses to 1. This didn’t scale well either. We could sticky learn the MAC which helped, but again, scalability issues. So even though we had a few solutions, nothing was really a great fit. Fast forward to today and 802.1X is the clear fit. While we had 802.1X back then, or at least we started to see it, client support was limited.

Network Access Today

Today we still don’t have all the answers. We primarily use 802.1X and EAP to authenticate and authorize a user on a switch port or on a wireless SSID. This method of controlling access works well because we have much better support for EAP in our native supplicants today. For some of the more advanced EAP methods we have clients like Cisco Anyconnect. Using 802.1X and an external authentication server scales better than the previous solutions discussed in this article. Along with the scalability comes a great deal of context data that’s useful in determining who is connecting, where they are connecting, how they are connecting and so on. From a policy perspective this is fantastic. We have a level of visibility today that we didn’t have back in my early days. Still, the solution isn’t perfect and there are still some things we need to address, like all that log data.

Where Do the Logs Go?

Your identity management solution is but one source of log information that you’re receiving. You have the logs from the switches, APs, and Firewalls where your VPN is terminating. There’s a handful of logging solutions out there that can handle the volume we see on most networks today. The key to consuming log data is not just being able to store it and handle the shear amount of data being received, but its also being able to use the data in a meaningful way. So what are some of the things you’d need to identify? A good solution would help identify users on the network that are doing things that aren’t exactly normal. When you consider the prevalence of Bontnets and DDoS attacks it would be advantageous to implement a solution that would identify if your assets are participating in these types of attacks.

The attacks here are just a few examples. There are many more. But I’ll leave this post with two questions:

What are you implementing as your Identity Management Solution?
How are you using the log data from that solution and other network devices to mitigate attacks and minimize unauthorized activity on your network?

Top Comments

Jfrazier over 8 years ago +1

SIEM applications are one way to look for attacks and unauthorized activity as well as log file tools such as splunk where you can index and build queries to look for patterns or events in near time. …
network_defender over 8 years ago +1

Great perspective. We have come a long way.

tcbene over 8 years ago

That is interesting that although physical security was prevalent for the building network security was overlooked from the physical aspect. Good article.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
brandoncarroll over 8 years ago

Good point.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
brandoncarroll over 8 years ago

The allowed hardware can be a challenge but using ISE to control the BYOD onboarding can certainly make it a little less painful. If the policies are built right you can easily identify the BYOD devices vs. the corp assets. You may have some tweaking of the Profiler policies involved but that's not a bad thing.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
cahunt over 8 years ago

Awesome Blast of the past reminder! I wish I had more insight into the logging of users and access - but info sec and account admin take care of that bag. Though regular audits on account use might prevent an old user from coming back and using a service account to gain access.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
mcam over 8 years ago

its interesting that WiFi actually has much better basic security than a wired network.
At least pretty much every AP allows mac address filtering etc
Simple solution to stop drive by plugins would be to remove all public plugs and use wifi
Way cheaper than a huge NAC system,
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel